Establishing Control in an Uncertain AI Landscape

Establishing Control in an Uncertain AI Landscape: A Top 10 US Bank’s GenAI Risk & Control Framework

A leading US bank confronted the challenge of governing generative AI—balancing innovation with control in a landscape of uncertainty.

The Challenge

As generative AI accelerated across the enterprise, the Bank faced a strategic dilemma: How can we scale innovation without compromising control?

Traditional risk frameworks—built for deterministic software—were not designed to govern systems that:

  • Produce non-repeatable outputs
  • Learn from evolving data sources
  • Operate across diverse business contexts with varied user intent
  • Resist conventional testing, tracing, or forecasting methods

Without a tailored approach, the Bank risked:

  • Overlooking latent AI failure modes
  • Misclassifying or underestimating risk exposures
  • Losing regulatory confidence in the maturity of its oversight

The Solution

Rational Exponent delivered a GenAI Risk & Control Framework, grounded in a new perspective: AI risk must be understood not only by outputs, but by the conditions under which it activates.

The framework introduced:

  • Two-Tier Risk Classification — Category 2 risks are latent, arising from the foundational capability itself; Category 3 risks are realized, triggered by user intent, timing, and context.
  • Risk-to-Control Mapping — Aligning controls to when and where risks are likely to manifest.
  • Lifecycle-Based Guidance — Ensuring timely and proportional risk mitigation.
  • Unified Framework — Bridging builders, business users, compliance, and risk functions.

The Outcome

The Bank gained:

  • Clarity on what makes GenAI risky—and under what conditions
  • Precision in applying the right controls at the right lifecycle point
  • Confidence to scale AI responsibly without overregulation or blind spots
  • Credibility with regulators through evidence-based oversight

Insight

AI risk is not static—it is dynamic, conditional, and emergent.

This framework equips the Bank to manage not just what AI is, but what it may become under real-world conditions. Governance shifted from reactive oversight to a strategic capability.

“AI risk is not static—it is dynamic, conditional, and emergent.”

Second Line Risk Officer, Top 10 US Bank